TalkTalk Falls Victim to Cyber Attack

By   ISBuzz Team
Writer , Information Security Buzz | Oct 26, 2015 09:00 pm PST

TalkTalk has confirmed that it has suffered a “significant and sustained cyber-attack.” TalkTalk has which has over 4 million customers in the UK.

While details are limited, TalkTalk has said that the hackers may have accessed its customer database – including names, addresses, date of birth, email address, telephone numbers, TalkTalk account information, credit card and/or bank details. Security Experts from AppRiver, MWR InfoSecurity, Intercede, Intel Security EMEA, Digital Guardian, Veracode, QinetiQ, Certivox, AlienVault, Imperva, Lieberman Software, Proofpoint, Certes Networks, ESET, Performanta, Rapid7, VASCO, Tripwire, HP Data Security and Centrify have the follwoing comments on it.

[su_note note_color=”#ffffcc” text_color=”#00000″]Jon French, Security Analyst of AppRiver :

“The two major things customers need to do is keep an eye on their banking information to look for fraudulent transactions, as well as be vigilant with communications. By communications, I mean they should be suspicious of any unexpected emails or phone calls that may be asking them for additional information. If someone calling or emailing you already has information like name, address, email address, or other account information, that doesn’t mean they can automatically be trusted. They may cite that data to get someone to trust them to hand over more information like a credit card or password.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Benjamin Harris, Managing Security Consultant of MWR InfoSecurity :

“As always when there is a concern that payment data may have been breached, consumers should pay attention to transactions made on their debit and credit cards and report any suspected fraudulent transactions to their card issuer. Being proactive will help to limit any damage caused by exposure of credit card information, however if consumers are heavily concerned about the confidentiality of their debit or credit card, it is recommended that they contact their card issuer to provision replacement cards, thus invalidating the previous credit or debit card used.

“It appears that TalkTalk have been proactive in this instance, and have done the correct things by issuing a public statement and involving the relevant authorities, allowing the attack to be investigated and thus limit any further damage.

“Incident response is a necessity for most organisations. In this case, it is important that organisations are both proactive and honest about any security breaches, and that they enlist the correct help from the outset. Identifying the attack mechanism is an important step in mitigating the risk, and pre-emptive actions (such as immediately destroying an infected machine) could lose vital evidence that would be useful in identifying the actual impact.

“Organisations should also regularly test their incident response plans. For example, logging and monitoring systems may not be regularly inspected. Realising that a log collation server has not been working for months and has not recorded information relating to a breach can be very frustrating, and these issues can be avoided with regular inspection.[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Richard Parris, CEO at Intercede :

“The news that TalkTalk customers have once again been impacted by a data breach should be a wakeup call for all companies serving consumers and storing their personal data. In an independent survey of 2,000 16-35 year old consumers it was revealed that very few place any significant trust in companies’ ability to protect their personal data. For telecommunications operators 40% described their level of trust as ‘none’ or ‘a little’.

“It really is time that these major businesses gave the issue the attention it deserves – they need to stop relying on simple password-based authentication and to start applying enterprise grade solutions. Protecting customers’ private data should be a top priority for any organisation. Failure to demonstrate that adequate safeguards are in place will inevitably result in customers, and revenues, disappearing.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Raj Samani, CTO for Intel Security EMEA :

“Initial reporting suggests that this attack leveraged DDoS as a potential smokescreen to hide the cyber criminals ultimate goal – data theft on a huge scale.  While it is too early to draw conclusions, we know from previous incidences, such as Operation Troy, that this tactic has been successfully used in the past. Whatever the attack method used, potentially affected customers will understandably be more concerned with finding out whether their data has been compromised. Our Hidden Data Economy report recently revealed that the marketplace for stolen data is thriving. Not only are huge amounts of stolen information readily available online, but buyers do not even have to delve into the darknet to access this information. Almost any information you can imagine can – and is – being sold online, extending far beyond credit card details.

“Data breaches and hacks are hitting the headlines on a regular basis, leaving swathes of sensitive customer details in the hands of criminals. Businesses should be ensuring the right security measures are in place to effectively protect this information. Affected organisations are learning that a quick reaction is vital – recognising when a data breach has occurred and moving quickly to inform customers is key if they are going to stop cyber criminals from exploiting any stolen data.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Luke Brown, Vice President & GM, Europe Middle East Africa India & Latam at Digital Guardian :

They say bad news comes in threes and that certainly seems to be the case for Talk Talk over the past 9 months. In the wake of two prior breaches, it’s hard to see Talk Talk’s customers giving it any more chances, particularly given the apparent severity this latest attack. But perhaps what’s more concerning is the emerging trend of attacks on telecoms providers, with Carphone Warehouse and T-Mobile also suffering data breaches in the past three months alone. With over 90% of the population owning a mobile phone, it’s easy to see why they are becoming an increasingly attractive target for hackers. The big question is, what are they doing about it? In Talk Talk’s case, it appears the answer is ‘far too little’.[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]John Smith, Principal Solutions Architect, Veracode :

“This high profile breach – in which names, addresses, and credit card details are at risk – only highlights the importance of regularly testing applications and remediating vulnerabilities.

“Companies should learn from this by adopting a proactive approach to cyber-security, frequently assessing the robustness of their networks and ensuring critical customer data is protected. They should also be ready to react, should a breach occur, to ensure they have communicated the situation with their customers and reassured them that everything is being done to plug any gaps.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Bryan Lillie, Chief Technology Officer, Cyber Security at QinetiQ :

“The increasing prevalence of cyber attacks has again been evidenced by Wednesday’s hack on TalkTalk.  The severity of these attacks against consumer organisations seems to be rising and when they come, they’re now more difficult to deal with. Once the environment has been secured, it’s important for the company to look at how the attack happened. The advice for all is to look at mistakes and vulnerabilities and tune the defence to match the threat.

“For firms to protect themselves for the future it isn’t just about identifying the specific vulnerability, but the processes – or lack of – that created the vulnerability. If it was an employee error, that may mean that the firm needs to roll out better training. If today’s attacks has been a more significant software breach, it may need to look to improve their cyber defence method and be more proactive in their system inspections.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Brian Spector, CEO of Certivox the Cryptography :

“Whilst it is too early with too little information released yet by TalkTalk for a more detailed analysis, the attack vectors commonly used to initialize attacks of this magnitude are to gain access by stealing employee credentials. The credentials are still all too often simply user name and password.

What the attacker knows: when a password, irrelevant of how complex the password may be is successfully stolen, the attacker can get access to internal systems and work their way to sensitive information – and steal it all. The underlying issue is that the username and password system is old technology that is not up to the standard required to secure the deep information and private services that we as individuals store and access online today. Providers that claim, “We are doing everything we can” to protect customers data and consider passwords to be part of that protection are in the news all too often unfortunately.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Richard Kirk, Senior Vice President at AlienVault :

“This story is a wakeup call for the board of directors of any company, large or small. The TalkTalk CEO has been on national radio all morning and no doubt has been up all night working with her team to both discuss a recovery plan as well as try to understand what the cost will be to the TalkTalk business.

TalkTalk’s customers should consider the following :

  • Have they used the same user ID and password for other online accounts?

Whilst there is no suggestion that this information was revealed as part of the breach, many people unfortunately still use their email address and personal details (family names, addresses) as a user ID and password. This is the time to switch to using secure passwords.

  • Talk with your bank or credit card company and ask them for advice. They should know that you were one of TalkTalk’s customers, although they may already be aware of this.
  • Consider signing up for a credit check and fraud detection service. This will act as an early warning system, if anything suspicious starts to occur.””[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Amichai Shulman, CTO of Imperva :

“I have reviewed some of the data and my guess would be that the attackers used a SQL injection for at least part of the attack. My advice to customers would be to keep a close eye for fraudulent activity on back accounts and be particularly vigilant of phishing attacks. The theme that keeps repeating itself is that every time such a breach occurs, media outlets focus heavily on the stolen credit card numbers, however, in practice, for the average person the theft of personal data is much more critical.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Philip Lieberman, CEO of Lieberman Software Corporation :

“There is really not enough information to provide reliable attribution of the attack even with the provided preamble to the disclosure.   Clearly there appears to be multiple agendas in play here, but without forensics on the attack and some history on the data’s use, it is really hard to know for sure what this is all about.   The most telling information will be evidence of how and where the stolen data is used.  Customers of Talk Talk are in a holding pattern till more of the story unfolds for law enforcement.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Mike Smart, Digital Strategist at Proofpoint :

“Anyone impacted by the TalkTalk incident should assume that their confidential data is now freely available on the dark web and cybercriminals will be looking to utilise it for financial gain. Individuals should make sure they change passwords to websites that share the same password as they used to access their TalkTalk website.  They should also realise that they will be at an increased risk of email ‘phishing’ and therefore must be on the look-out for suspicious emails.

Individuals should refrain from clicking on URL links or attachments in emails they are not expecting.  If they get an email from a bank or other websites with log-in links, instead of clicking on the link in the email, they should open up a new browser session and visit the website directly.

In order to help minimise the damage of the attack, anyone who thinks they may have been affected should take immediate defensive actions by contacting their bank; this will help mitigate the financial aspects of identity theft.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Paul German, VP EMEA, Certes Networks :

Yet another breach has hit the hacking headlines, but are we surprised? Too many high-profile breaches have been under speculation so far this year, and businesses are still failing to put proper security measures in place to not only make the system more difficult to hack, but to limit the scope if a breach does occur.

Although the details of the TalkTalk breach are still unknown, one thing is for certain: TalkTalk must not have had a software-defined security strategy in place, focusing on users and applications rather than the network itself. How do we know this? If TalkTalk had cryptographically segmented its security system into predefined and clearly understood fragments, the breach would have been more manageable, instead of system wide.

The TalkTalk breach shows that assuming internal networks are safe and trusted is no longer acceptable. Hackers have turned trusted networks into playgrounds, moving laterally from system to system and liberally exfiltrating data. By compromising one user, even a contractor, hackers get past the firewall and enjoy access to essentially anything. When a no-trust security model is in place, it means that no network is trusted, inside or outside the perimeter, no user is fully trusted and equally, no device is trusted.

TalkTalk needs to take note: the most secure enterprises have adopted crypto-segmentation; meaning that they encrypt all sensitive application flows inside and outside the perimeter. To achieve this requires eliminating siloes and establishing a centralised method of creating and managing policies, and keying for end-to-end protection across all applications and networks. Building on the identity and access control technologies widely deployed, a cryptographic relationship creates a clean and unbreakable link between each user and the permitted data and applications, meaning that if a breach does occur, the hacker is limited with the information and data that it is able to exploit.

Crypto-segmentation combined with role-based access means authorised users can access applications encrypted from server to user. If a user is compromised, hackers can access only that user’s applications. Lateral movement to more sensitive applications is blocked, and the breach is therefore contained. This could have stopped the TalkTalk hackers in their tracks.

Architectures need to quickly adapt to the new world of user and application mobility by ensuring that network segmentation and application isolation can be applied across all environments, irrespective of network level control. User access control policies must be applied and enforced in real-time, across all users and applications both inside and outside the traditional firewalled perimeter.

The time for the industry to recognise that a fresh approach is needed is now. We must question how many more high-profile breaches like the one TalkTalk is currently dealing with are needed before clear and concise action is taken by the businesses most at risk.[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Mark James, Security Specialist at IT Security Firm ESET :

Potential implications?

“The data of all their customers will almost certainly be used for potential identity theft along with the obligatory attempts at financial access with any current information they may have attained. There was “some partial” encryption of credit card numbers we are led to believe, but businesses need to understand that all our private data has a value not just the direct financial stuff.

The majority of this haul will be used for targeted phishing attacks to gain more useable data by trying to establish a trust relationship with you by using partial true info in their attack. This is a lot more successful with even a small degree of validated information like your complete name and DOB or even home address.”

Advice for Talk Talk customers?

“Change your password now, change any passwords that are the same as your TalkTalk password and please do not ever use the same password again. Also, make sure you keep an eye on your financial transactions, not just this week but realistically anytime in the future.

Check your bank and credit card statements, make use of the obligatory credit checking service and be very weary of emails and even phone calls that could be using your stolen data from TalkTalk.”

Lessons to be learnt?

“Companies should implement proper use of cryptography, encrypting the sensitive data and hashing the passwords in cryptographically sound way. We are forced to trust companies with our data and so often that trust is lost through no fault of our own.

Keeping the public and those affected by this breach up to date with what they have, intend and will do about this should be a priority.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Elad Sharf, Security Research Manager, Performanta :

“Talk Talk’s current data breach is unfortunately not an isolated incident. Every business today is a potential victim of large scale hacks and data leaks. Threat actors have long realised now that information is power and have begun to up their attacks on corporate targets to steal vital intellectual property or consumer data. Hackers are proving time and again that they have the ability to circumvent traditional security solutions yet attacks are developing at a rate not matched by the defences. In the modern cyber-security environment, companies should adopt an assume breach mentality where they assume a hack like this will occur, or already taking place, and take steps to counteract it before it does harm.

What the third data breach in the past 12 months for TalkTalk will mean for its business with the potentially massive loss in consumer trust and revenue is unknown. What we do know is that, whilst Talk Talk is to be credited with discovering the breach themselves and notifying the public quickly, all businesses need to take proactive steps to ensure its customers information is properly monitored and secured, from external and internal threats.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Wim Remes, Manager EMEA Strategic Services at, Rapid7 :

“Even though TalkTalk mentions that the attack happened yesterday, there are reasons to assume that the attack has lasted longer than just the past 24 hours. The data was released by the attackers yesterday, that is all we can derive from what we know now.

There is no need to speculate how the attackers got in, what they were after, and what their motivations are. Attribution, in my opinion, is a zero sum game and I am confident that TalkTalk will share that information once they have connected all the dots.

What I think is important to emphasize is TalkTalk’s very strong focus on clear communication. The CEO is the person representing the company to its stakeholders in times of distress without hiding the issues. They were breached, they are working on finding out what happened, and in the mean time here is the CEO talking clearly and without hesitation about what customers can expect from them. This is literally rule number one of incident response and one that is often forgotten once a breach happens.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]John Gunn, VP of Communications, VASCO Data Security International :

“Breaches such as this are invariably followed by a wave of public outbursts from angry customers vowing to leave the service provider who suffered the breach. Unfortunately, in the end, few actually do leave and the result is that organizations have less of an incentive to protect sensitive customer data.

“The ransom demand is undoubtedly from an unrelated third party with no connection to the original breach since the stolen data is already being offered on the dark web by the criminals who committed the breach. The anonymity of internet attacks provides cunning hackers the opportunity to strike at victims in a time of confusion and panic.”

New research details a scam in which thieves embedded a listening device (two chips) in a payment card to carry out a man-in-the-middle attack, calling it “the most sophisticated smart card fraud encountered to date.”  FinExtra reports the cards: “contained two chips wired top-to-tail. The first chip from a genuine stolen card and the second a “spoof” that played the role of a man-in-the-middle, communicating with POS terminals.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Frederik Mennes, Manager of Security Competence, VASCO Data Security International :

“This is quite an amazing story. It illustrates that fraudsters may possess deep technical knowledge about security systems, and may go to great lengths to exploit them.

“One of the vulnerabilities exploited by the fraudsters was reported in February 2010 by Steven Murdoch and other researchers from Cambridge University. At that time the banking industry commented that this vulnerability would never be exploited in real life and that there were sufficient countermeasures. About a year later, criminals exploited the vulnerability (and another one that was not publically known yet). So this illustrates that the banking industry didn’t take sufficient steps to mitigate the vulnerability.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Tim Erlin, Director of IT Security and Risk Strategy at Tripwire :

“Security isn’t simply a setting that you can turn on after a breach. For any large organization, rolling out significant security measures can take months, if not years.

Very simply, if you collect, store or transmit personal information, it needs to be encrypted at rest and in transit. It’s not a change that occurs overnight, but it should be a clear requirement.

Even encryption isn’t a perfect solution to data theft. The sensitive data we need to protect also needs to be used by various business systems. If those systems are compromised, the data can still be accessed by attackers. Companies need to secure the configurations of their systems as well as encrypt the data they use.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Andy Heather, Vice President, HP Data Security :

“Immediately following any high profile cyber attack questions arise such as who, how and what – to a great extent this is immaterial.  Most companies do collect significant amounts of personal information on their customers such as their addresses, identification numbers and dates of birth.  If left unprotected, this information would give the attackers almost all of the information they need to undertake fraudulent activity on the a compromised user’s behalf.

This breach highlights a need for companies to place tighter controls on how their customers’ sensitive information is protected.  If data is left unprotected, it’s not a matter of if it will be compromised – it’s a matter of when.  Even the best security systems in the world cannot keep attackers away from sensitive data in all circumstances.   When a company is storing sensitive information about their customers, the risk is to the data itself.  Therefore, a company needs to assume that all other security measures may fail, and the data itself must be a primary focus for protection – via encryption.  It is critical to note that this protection needs to include all potentially sensitive information and not just financial related data.

Many leading companies already employ format-preserving encryption to protect the data itself.  The TalkTalk attackers would have ended up with unusable encrypted data instead of the current outcome where an untold amount of their customers’ personal information is now in the hands of cyber criminals.

The theft of financial information credit card or account information has a limited lifespan, until the victim changes the account details etc. but the personal information that can be obtained by accessing someone’s account profile has a much broader use and can be used to commit a much wider range of fraud and identity theft, and simply cannot be changed.

The value of this personal data to the cyber criminal has a much greater value, for example where the selling price for a single stolen credit card is around $1, if that card information is sold with a full identify profile that can dramatically increase up to $500. If the cyber criminals know where the real value is then surely we should all expect responsible organization to pay appropriate attention to keeping our  personal information safe.

Encryption of data is essential to protect customer data not just when it is stored but throughout its entire  lifecycle, wherever it is, and however is used within an organization. This, along with a robust security stance, is the only way to stop criminals profiting from stolen data.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Matt Pearson, Channel Director, EMEA, Centrify :

“This is not the first time that TalkTalk has suffered a data breach, and it is yet another example of companies not taking breaches seriously. Whilst it is clear that TalkTalk have actioned their Incident Response teams well, they should have addressed their security failings equally.

The question now is ‘why the breach occurred?’ The majority of breaches are usually as a result of someone either stealing credentials for privileged accounts or someone using a credential internally to gain access to somewhere sensitive they shouldn’t have access to. The difficulty with a breach is that once hackers have access to the network they can jump from one system to another and gain more and more knowledge about the environment, the servers, network and user accounts and ultimately find credentials for privileged admin accounts. Once they have access to these accounts, in most cases, if not all, they can then access the critical infrastructure housing valuable customer data.”[/su_note]